Bugzilla – Bug 1211611
VUL-0: CVE-2023-32082: etcd,cosign: etc: Key name can be accessed via LeaseTimeToLive API
Last modified: 2023-06-17 19:19:00 UTC
CVE-2023-32082 etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to key names (not value) associated to a lease when `Keys` parameter is true, even a user doesn't have read permission to the keys. The impact is limited to a cluster which enables auth (RBAC). Versions 3.4.26 and 3.5.9 fix this issue. There are no known workarounds. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-32082 https://bugzilla.redhat.com/show_bug.cgi?id=2208131 https://www.cve.org/CVERecord?id=CVE-2023-32082 https://github.com/etcd-io/etcd/blob/main/CHANGELOG/CHANGELOG-3.4.md https://github.com/etcd-io/etcd/blob/main/CHANGELOG/CHANGELOG-3.5.md https://github.com/etcd-io/etcd/pull/15656 https://github.com/etcd-io/etcd/security/advisories/GHSA-3p4g-rcw5-8298
cosign embeds a vulnerable version of etcd, but doesn't use the etcd server, that can call the vulnerable etcd function. We can consider it not affected. etcd remains vulnerable: - SUSE:SLE-15-SP1:Update:Products:CASP40:Update - SUSE:SLE-15:Update